Ngrep
From Christoph's Personal Wiki
ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop. It was written by Jordan Ritter.
Usage
Note: See here for detailed examples.
In the following examples, it is assumed that eth0
is the used network interface.
- Example: Basic Packet Sniffing
$ ngrep -d any port 25 $ ngrep -d any 'error' port syslog $ ngrep -wi -d any 'user|pass' port 21
- Example: Debugging HTTP interactions
$ ngrep port 80 $ ngrep -W byline port 80
- Example: Processing PCAP dump files, looking for patterns
$ ngrep -O /tmp/dns.dump -d any -T port domain $ ngrep -w 'm' -I /tmp/dns.dump $ ngrep -tD ns3 -I /tmp/dns.dump $ ngrep -I /tmp/dns.dump port 80
- Monitor all traffic not going over port 22 (i.e., SSH):
$ ngrep not port 22 | strings 8
- Monitor all traffic coming from a certain host:
$ ngrep host 192.168.0.103
- Capture network traffic incoming/outgoing to/from eth0 interface and show parameters following HTTP (TCP/80) GET or POST methods
$ ngrep -l -q -d eth0 -i "^GET |^POST " tcp and port 80
- Capture network traffic incoming/outgoing to/from eth0 interface and show the HTTP (TCP/80) User-Agent string
$ ngrep -l -q -d eth0 -i "User-Agent: " tcp and port 80
- Capture network traffic incoming/outgoing to/from eth0 interface and show the DNS (UDP/53) querys and responses
$ ngrep -l -q -d eth0 -i "" udp and port 53
- Show the query and results of
SELECT
queries going to your MySQL server:
$ ngrep -d eth0 -i 'select' port 3306
- Show the query and results of all queries going to your MySQL server:
If the following MySQL query returns the following:
$ mysql -B -e 'select * from foo;' sandbox
id name age 1 Bob 23 2 Alice 20
Watch the traffic via `ngrep`:
$ ngrep -W byline -d lo -i "" port 3306
interface: lo (127.0.0.0/255.0.0.0) filter: (ip or ip6) and ( port 3306 ) #### T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP] [... 5.5.43-0ubuntu0.14.04.1.....!!!#+N'v...................?wZ=bUblw5=t.mysql_native_password. ## T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP] [...........!.......................sandusr...e....=_.P`..W...mQ.sandbox.mysql_native_password. ## T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP] ........... # T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP] !....select @@version_comment limit 1 # T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP] .....'....def....@@version_comment..!.........................(Ubuntu)......... # T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP] .....select * from foo # T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP] .....'....def.sandbox.foo.foo.id.id.?.......B...+....def.sandbox.foo.foo.name.name.!...........)....def.sandbox.foo.foo.age.age.?.................."......1.Bob.23.....2.Alice.20.......". # T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP] ..... ###
See also
- nmap — network exploration tool and security scanner[1]
- tcpdump — dump traffic on a network[2]
- snoop — capture and inspect network packets
- netcat (aka nc) — a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.[3]
- Netfilter
- NetCalc
- Whois
- Nagios — an Open Source host, service, and network monitoring program.
- Wireshark — network protocol analyser
- flowgrep — a basic IDS/IPS tool written in Python as a way to help you investigate and manage your network.
- tcpreplay — replay network traffic stored in pcap files